CVE-2025-60868

MEDIUM

Alt Redirect < 1.6.4 - Authentication Bypass via Query String Parameter Spoofing

Title source: llm

Description

The Alt Redirect 1.6.3 addon for Statamic fails to consistently strip query string parameters when the "Query String Strip" feature is enabled. Case variations, encoded keys, and duplicates are not removed, allowing attackers to bypass sanitization. This may lead to cache poisoning, parameter pollution, or denial of service.
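An added illustration of the hardened behaviour the fix needs (this is not the addon's code; the blocked key set and URLs below are constructed): keys are compared only after percent-decoding and case-folding, and every occurrence of a blocked key is dropped, so case variants, encoded variants and duplicates no longer survive the strip.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def _normalise_key(key: str) -> str:
    # parse_qsl has already percent-decoded the key once; case-fold so that
    # "UTM_Source" and "utm_source" compare equal.
    return key.casefold()


def strip_query_params(url: str, blocked: set[str]) -> str:
    """Return `url` with every occurrence of each blocked key removed.

    Keys are matched after percent-decoding and case-folding, and all
    duplicates are removed, not only the first one. Blank values
    (e.g. "?utm_source&page=1") are still treated as present.
    """
    blocked_norm = {_normalise_key(k) for k in blocked}
    parts = urlsplit(url)
    kept = [
        (key, value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
        if _normalise_key(key) not in blocked_norm
    ]
    # urlencode re-encodes the surviving pairs; an empty list yields no "?".
    return urlunsplit(parts._replace(query=urlencode(kept)))


def residual_blocked_keys(url: str, blocked: set[str]) -> set[str]:
    """Defender-side check: which blocked keys are still present in `url`?

    Useful as a unit test on the strip output: the result must be empty.
    """
    blocked_norm = {_normalise_key(k) for k in blocked}
    query = urlsplit(url).query
    return {
        _normalise_key(key)
        for key, _ in parse_qsl(query, keep_blank_values=True)
        if _normalise_key(key) in blocked_norm
    }


if __name__ == "__main__":
    # Constructed sample: three spellings of the same key plus a duplicate.
    sample = "https://example.com/path?UTM_Source=x&utm%5Fsource=y&utm_source=z&page=2"
    print(strip_query_params(sample, {"utm_source"}))  # https://example.com/path?page=2
```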

Scores

CVSS v3 6.5
EPSS 0.0021
EPSS Percentile 11.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-290
Status published
Products (1)
alt-design/alt-redirect 0 - 1.6.4 (Packagist)
Published Oct 10, 2025
Tracked Since Feb 18, 2026